cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This is a pre-release for cert-manager v1.20.0. Please help with testing!
Changed since v1.20.0-alpha.0
This alpha release adds experimental XListenerSet support, NetworkPolicy and CRD selectable field features, fixes critical bugs including an infinite re-issuance loop and IPv6 HTTP-01 challenge issues, patches security vulnerabilities (CVE-2025-61727, CVE-2025-61729), promotes OtherNames to Beta and DefaultPrivateKeyRotationPolicyAlways to GA, and changes the default container UID/GID from 1000/0 to 65532/65532.
Add a set of flags to permit setting NetworkPolicy across all deployed containers, and remove redundant global IP ranges from the example policies. (#8370, @jcpunk)
Add selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#8256, @tareksha)
Added an 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager controller pod. This can be used to support, for example, AWS IAM Roles Anywhere for Route53 DNS01 verification. (#8355, @dancmeyers)
Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#7728, @jcpunk)
For the Venafi provider, read the venafi.cert-manager.io/custom-fields annotation on the Issuer/ClusterIssuer and use it as the base, with override/append capabilities at the Certificate level. (#8301, @k0da)
Improve error message when CA issuers are misconfigured to use a clashing secret name (#8374, @majiayu000)
Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#8244, @lunarwhite)
Update global.nodeSelector in the helm chart to perform a merge, allowing a single nodeSelector to be set across all services. (#8195, @StingRayZA)
Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#8228, @terinjokes)
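To show where the new acme.cert-manager.io/http01-ingress-ingressclassname annotation fits relative to the solver's http01.ingress.ingressClassName field, here is an added example (not from the release or the project's own docs): a ClusterIssuer whose solver defaults to one ingress class, and an Ingress that overrides that class for its own challenges. Names, hosts, the email address and the staging ACME server URL are constructed sample values; the ClusterIssuer and Ingress field layout is the standard cert-manager and Kubernetes API shape.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-sample            # constructed name
spec:
  acme:
    email: admin@example.test           # constructed sample
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-sample-account-key
    solvers:
      - http01:
          ingress:
            # Default class for the solver Ingresses cert-manager creates
            ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-internal                  # constructed name
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-sample
    # Override the solver's ingressClassName for challenges raised for this
    # Ingress only, so the HTTP-01 solver Ingress is served by the same
    # controller that serves the application itself
    acme.cert-manager.io/http01-ingress-ingressclassname: internal-nginx
spec:
  ingressClassName: internal-nginx
  tls:
    - hosts: [app.example.test]
      secretName: app-internal-tls
  rules:
    - host: app.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

The practical check after applying this is that the temporary solver Ingress created for the challenge carries `ingressClassName: internal-nginx` rather than `nginx`; if the challenge never becomes reachable, a class served by a controller that cannot see the pod's network is the first thing to verify.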
Bug or Regression
Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. (#8232, @eleanor-merry)
Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#8403, @calm329)
Fixed an issue where HTTP-01 challenges failed when the Host header contained an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#8424, @SlashNephy)
Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes: spec.hostnames is no longer set when the challenge DNSName is an IP address. (#8443, @alviss7)
Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#8290, @octo-sts[bot])
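The re-issuance loop fix (#8403) comes down to one check: before an issued certificate is stored, its public key must be the one from the CSR. The following is an added example in Go, not cert-manager's own code, showing that check and exercising it against a correctly issued certificate and one an issuer returned for the wrong key. The stand-in CA, the key material and the subject names (`sample-ca`, `example.test`) are constructed for the example; the comparison itself is on the PKIX DER encoding of the two public keys, so it is independent of key type.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPublicKeyMismatch is returned when the issued certificate does not carry
// the public key that was requested in the CSR.
var ErrPublicKeyMismatch = errors.New("issued certificate public key does not match CSR public key")

// publicKeyMatchesCSR compares the SubjectPublicKeyInfo of the leaf certificate
// with the one in the CSR via their PKIX DER encoding, which works for every
// key type Go can marshal (RSA, ECDSA, Ed25519). A mismatched certificate must
// not be stored: the private key in the Secret would be unusable with it, and
// immediately re-requesting is what produced the loop, so the caller should
// fail and retry with backoff instead.
func publicKeyMatchesCSR(cert *x509.Certificate, csr *x509.CertificateRequest) error {
	want, err := x509.MarshalPKIXPublicKey(csr.PublicKey)
	if err != nil {
		return fmt.Errorf("marshal CSR public key: %w", err)
	}
	got, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return fmt.Errorf("marshal certificate public key: %w", err)
	}
	if !bytes.Equal(want, got) {
		return ErrPublicKeyMismatch
	}
	return nil
}

// template builds a minimal certificate template; the names are constructed samples.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
	}
}

// issue signs a certificate for pub with the given parent and signer key.
// Passing a key other than the CSR's reproduces the faulty-issuer case.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// must panics on setup errors; this is demo setup, not the check under test.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CheckScenarios builds one CSR, a stand-in CA, and two leaf certificates: one
// issued for the CSR's key and one for an unrelated key. It returns the check
// result for each so the behaviour can be asserted on.
func CheckScenarios() (matchErr, mismatchErr error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := template("sample-ca", 1, true)
	ca := must(issue(caTmpl, caTmpl, &caKey.PublicKey, caKey))

	requestKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.test"}}, requestKey))
	csr := must(x509.ParseCertificateRequest(csrDER))

	// Well-behaved issuer: certificate carries the CSR's key.
	good := must(issue(template("example.test", 2, false), ca, &requestKey.PublicKey, caKey))
	// Faulty issuer: certificate carries some other key.
	otherKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	bad := must(issue(template("example.test", 3, false), ca, &otherKey.PublicKey, caKey))

	return publicKeyMatchesCSR(good, csr), publicKeyMatchesCSR(bad, csr)
}

func main() {
	matchErr, mismatchErr := CheckScenarios()
	fmt.Println("certificate for CSR key:  ", matchErr)
	fmt.Println("certificate for other key:", mismatchErr)
}
```

Comparing the marshalled SubjectPublicKeyInfo rather than calling a type-specific Equal keeps the check uniform across RSA, ECDSA and Ed25519 keys, which is the same set of algorithms a Certificate's privateKey.algorithm can select.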
Other (Cleanup or Flake)
Promoted the OtherNames feature to Beta and enabled it by default (#8288, @wallrj-cyberark)
The default container user (UID) is now 65532 (previously 1000) and the default container group (GID) is now 65532 (previously 0) (#8408, @wallrj-cyberark)
The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to GA and can no longer be disabled. (#8287, @wallrj-cyberark)
Update cert-manager's ACME client, forked from golang/x/crypto (#8268, @SgtCoDFish)
Use the latest version of Kyverno (1.16.2) in the best-practice installation tests (#8389, @wallrj-cyberark)
Rebranding of the Venafi Issuer to CyberArk (#8215, @iossifbenbassat123)
Add GWAPI documentation to NOTES.TXT in helm chart (#8353, @jaxels10)
We stopped testing with Contour because it does not support the new XListenerSet resource, and moved to kgateway. (#8426, @hjoshi123)